Managing Admin Roles restrictions in Exchange Server 2013

Share this:

Hello my friends,

In Today’s post we will continue were we left off Yesterday. Yesterday, we configure a regular user to have permissions to manage recipients but Today we want to be more restrictive and allow the same user to have only permission in a specific Organization Unit for example, let’s use the following scenario in this post.

Scenario: The regular user Anderson must have permissions to manage recipients only in a specific OU (Organization Unit) called Porto Alegre.

In order to do that we can copy the existent admin role and work on that (adding or removing roles) to adapt to your environment. Let’s get the same Recipient Management and let’s click on copy

image

In the new page let’s label our new admin role and in our scenario we are going to use PortoAlegre-RecipientManagement and let’s restrict this admin role by Organization Unit and we need to type in the Organization Unit field (in the next picture I show you how to get the proper name).

image

If you want to just copy and paste the name required on the previous page, let’s open Active Directory Users and Computers, and let’s click on View and then let’s make sure that Advanced Features is selected. Then, right-click on the desired OU (Organization Unit) and let’s click on Properties and then let’s go to the Object tab, finally copy and paste the path from the first field and that is the information that we are going to use on the EAC.

image

A final note before testing is to make sure that our regular user that we are testing does not belong to any other admin role group.

Test #01: Regular user tries to create an user using default settings..

If our regular user tries to create an user using just default settings like the image below

image

The result it is a failure, as shown in the figure below. The reason is that by default the user are created under Users container in Active Directory.

image

Another good example is if the user tries to edit information of any user outside of PortoAlegre OU, the result will be similar to this figure where he is not able to change anything.

image

Test #02: Regular user tries to create an user under PortoAlegre OU…

Now we are talking.. since the regular user has permissions only on that OU when the user select the right OU the user mailbox creation will be successful.

image

Now, if the regular user (anderson) tries to edit a mailbox that belongs to the OU Porto Alegre, then he will be able to manage the attributes, as follows:

image

Written by Anderson Patricio

Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson has been contributing to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at ITPROCentral.com, MSExchange.org, Techgenix.com and Anderson Patricio.org (Portuguese).